The events or manifestations that give rise to safety concerns typically have a negative valence and lead to unexpected and unacceptable outcomes, with names that signify the severity of the outcomes (ranging from incidents via accidents to disasters). Since they have a negative valence the natural response is to try to avoid them, or at least to reduce their number. This preoccupation with the negative was recognised by Professor James Reason, who in 2020 wrote about the paradoxes of safety and pointed out that hat safety is defined and measured more by its absence than its presence. The efforts to reduce the number of unexpected and unacceptable outcomes signify a decremental approach to safety, where the completely aim is to have zero unexpected and unacceptable outcomes. Since safety is measured by the number of unexpected and unacceptable outcomes, the result is a relation where the magnitude of the output is inversely related to the magnitude of the input. The efforts spent to further decremental safety are therefore a cost, which at best may save the losses incurred by a major unexpected and unacceptable outcome. The ultimate goal of having no unexpected and unacceptable outcomes at all is, however completely unattainable due to the inevitable unpredictability of processes and conditions that follow from the law of entropy. There is, fortunately, a sensible logical alternative to decremental safety and the fruitless efforts to increase the absence of safety, namely to adopt a positive stance and instead increase the presence of safety, i.e., to try to have as many expected and acceptable outcomes as possible. This corresponds to a 180 degrees change of course Since safety in this way measured by the number of expected and acceptable outcomes, the relation is one where the magnitude of the output is directly related to the magnitude of the input. The efforts spent to further decremental safety are therefore an investment. he ultimate goal of having only expected and acceptable outcomes is also completely unattainable due to the inevitable unpredictability of processes and conditions that follow from the law of entropy.
But it is less of a calamity because each step serves to increase the number of expected and acceptable outcomes. This is an incremental approach to safety that obviously makes good business sense and in the end leads to a reduction of the number of unexpected and unacceptable outcomes, simply because an outcome can neither be both expected and unexpected at the same time nor both acceptable and unacceptable. Expected and acceptable outcomes characterise work that goes well , but unlike the negative outcomes the current safety legacy has neither methodology nor terminology to support this aim.
Incremental safety tries to increase the presence of safety instead of increasing the absence of safety, with the ultimate goal that there only are expected and acceptable outcomes. This is, of course, as unrealistic as the goal of decremental safety and for the very same reasons. But whereas decremental safety and the pursuit of the Zero Accident Vision represent a cost. Incremental safety and the pursuit of the corresponding visio centum represents an investment. It will in the end not only reduce the number of unexpected and unacceptable outcomes but also lead to more expected and acceptable outcomes on the way. Choosing incremental safety over decremental safety is therefore an obvious nobrainer.
The purpose of incremental safety isd to ensure that work produces a reliable flow of expected and acceptable outcomes rather than to prevent that work occasionally, but rarely leads to unexpected and unacceptable outcomes
The full text of the Incremental Safety Manifesto is here
Precis: Resilience Engineering is obviously the intellectual progenitor of incremental safety. This essay recounts how resilience engineering came about, and also tries to explain why resilience engineering did fulfill the expectations by which it was met, specifically to become the long awaited replacement of the Safety Legacy (SL). RE was the reason for proposing Safety-I and Safety-II, and since Safety-II now is morphing into incremental safety, RE is clearly also part of the foundation for incremental safety.
Presis: Decremental safety and incremental safety do not define two different types of safety, but two different ways or approaches to become safer and to achieve a state of safety. There can in fact be only one definition of safety, namely as the state where there are as few unexpected and unacceptable outcomes as possible. One of the problems of safety is how it is defined. Jim Reason nailed the definition problem, when he introduced the four paradoxes of safety (Reason, 2000). Understanding these paradoxes is important for any kind of safety-related activity, and is practically a precondition for incremental safety
Precis: While the human factor initially was about the shortcomings of human performance relative to the perfection of machines (epitomised by the Fitts’ List) it soon became associated with one specific feature, namely the unpredictability and unreliability, that turned into the concern for human error, in the sense that variable and unreliable performance of humans quickly became the favourite candidate for causes of UUOs. This essay will present a broader view of human factors. The particular human error view is the topic of the following fourth essay.
Humans as presumably sentient beings feel anxious whenever something unexpected happens, particularly if it also brings unacceptable outcomes. One thousand years ago the Muslim scholar Ibn Hazm (994-1064) wrote that “The chief motive of all human actions is the desire to avoid anxiety.” In the 19th century the great German philosopher (Friedrich Nietzsche (1844-1900) elaborated “To trace something unfamiliar back to something familiar is at once a relief, a comfort and a satisfaction, while it also produces a feeling of power. The unfamiliar involves danger, anxiety and care -the fundamental instinct is to get rid of these painful circumstances. First principle - any explanation is better than none at all.” In their attempts to find a socially acceptable cause people usually ,and involuntarily, make an efficiency-thoroughness trade-off and settle for the cause that represents the default explanation in the current age of safety, cf. Table 1. This is why the preferred cause in the second age of safety became human error. It was first of all convenient, it was also immediately understood and accepted by others. And it finally corroborated with the experience everyone have that they sometimes act in a way that leads to UUOs.
Essay 7: The role and purpose of investigations, the model versus method dilemma.
Essay 8: The modelling dilemma:
Essay-11: How to establish and maintain an ISC. The Four Systemic Potentials